Malicious Go Module Impersonates Crypto Library
A new 'cryptography trojan' is targeting developers by impersonating a foundational Go module. The malicious library is designed to steal passwords and deploy root backdoors. The incident underscores the growing need for dependency pinning and regular security audits in all development pipelines, including MLOps.
The malicious module, identified as `github[.]com/xinfeisoft/crypto`, was a deliberate imitation of Go's foundational cryptography library, `golang.org/x/crypto`. This type of attack, known as typosquatting or namespace confusion, preys on developers accidentally mistyping a package name and is an increasingly common vector for supply chain attacks.

The backdoor was placed inside the `ssh/terminal/terminal.go` file, specifically within the `ReadPassword` helper function. This allowed the malware to intercept any passwords, API keys, or other credentials entered interactively in a terminal and exfiltrate them to an attacker-controlled server before executing its next stage. After stealing credentials, the malware's stager script would add the attacker's SSH key to the system's `authorized_keys` file, creating persistent access. It would then attempt to weaken firewall rules before downloading and executing the primary payload: a Linux backdoor known as Rekoobe.

Rekoobe is a known trojan, previously associated with the Chinese nation-state group APT31, that gives attackers remote control over the compromised system. Its capabilities include executing arbitrary commands, uploading and downloading files, and establishing a reverse shell for direct interaction with the infected machine.

This incident highlights the critical role of Go's built-in security features. The `go.mod` file pins dependency versions, while the `go.sum` file records cryptographic hashes of every dependency, so any change to a module's code is flagged as a mismatch. This prevents the silent injection of malicious code and makes builds reproducible and verifiable.

Software supply chain attacks are a rapidly growing threat, with malicious packages in open-source repositories increasing by over 1,300% between 2020 and 2023.
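As an added example (not code from the original report or from the Go project), here is a small audit a build pipeline could run over `go.mod` before `go build`: it flags `require` entries that share a base name with a trusted module but live under a different path, the namespace confusion described above, and `replace` directives that redirect a trusted module. The `AuditGoMod` function, the `TrustedModules` list and the `SampleGoMod` text are constructed for this example.

```go
package main

import (
	"path"
	"strings"
)

// AuditGoMod scans go.mod text and returns module path -> reason for two patterns:
// a require whose last path element matches a trusted module but whose full path
// differs (namespace confusion), and a replace that redirects a trusted module.
func AuditGoMod(gomod string, trusted []string) map[string]string {
	byBase := map[string]string{} // "crypto" -> "golang.org/x/crypto"
	for _, t := range trusted {
		byBase[path.Base(t)] = t
	}
	findings, block := map[string]string{}, "" // block: kind of the open "( ... )"
	for _, raw := range strings.Split(gomod, "\n") {
		f, kind := strings.Fields(raw), block
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			kind, f = f[0], f[1:] // single-line directive, or a "require (" header
		}
		switch {
		case len(f) == 0:
			continue
		case f[0] == "(": // header opened a block
			block = kind
			continue
		case f[0] == ")": // block closed
			block = ""
			continue
		}
		if kind == "require" { // f[0] is the module path; "// indirect" never reaches it
			if t, ok := byBase[path.Base(f[0])]; ok && t != f[0] {
				findings[f[0]] = "same base name as trusted " + t
			}
		} else if kind == "replace" && byBase[path.Base(f[0])] == f[0] {
			findings[f[0]] = "trusted module redirected: " + strings.TrimSpace(raw)
		}
	}
	return findings
}

// Constructed inputs: the genuine module, the lookalike path named in the article,
// and a replace directive that hijacks the genuine one.
var TrustedModules = []string{"golang.org/x/crypto", "golang.org/x/sys"}
var SampleGoMod = `module example.com/app
require (
	golang.org/x/crypto v0.17.0
	github.com/xinfeisoft/crypto v0.0.1 // same base name, wrong namespace
)
replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.1
`
```

Pair it with `go mod verify`, which checks the contents of the module cache against the hashes recorded in `go.sum`.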
The global economic impact of these attacks is projected to reach $60 billion in 2025 and over $80 billion by 2026, demonstrating the escalating financial and security risks.